Malicious PDF — malware analysis report

Static analysis result for SHA-256 a36d1bff0219cc7a…

MALICIOUS

PDF

68.9 KB Authoring application: PDFBox
MD5: f5e09c989f1474be86d2ae63cb48fbb3 SHA-1: bb6ac9ed9dfd9df18c32cf6bee084b2877b4f8ca SHA-256: a36d1bff0219cc7a981b1782a12db13a0948fadaa67750fffc6bbf66df6c5485
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged by multiple critical heuristics, including ClamAV and a machine learning classifier, indicating malicious intent. The PDF_SEO_LINK_FARM heuristic identified a large number of external links, with the primary domain being www.happyeverydaywithsk.com. The document body, though heavily corrupted, contains some of these URLs, reinforcing the finding of a link farm designed to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.happyeverydaywithsk.com/uploads/1/3/0/8/130814219/8130689.pdf
    • http://sproutmagazine.org/uploads/1/3/0/6/130620585/7353917.pdf
    • http://kindearthproducts.com/uploads/1/3/0/3/130313803/3b1d1ea75d.pdf
    • http://santexrealestate.com/uploads/1/3/0/5/130551745/b567ab05ebb8.pdf
    • http://miputt.com/uploads/1/3/0/8/130873786/dubudet-duvexotu-talibomimeferam.pdf
    • http://nhcohousing.org/uploads/1/3/0/2/130272851/xuzudasoma.pdf
    • http://protopcbassembly.com/uploads/1/3/0/5/130551777/d9420b3bcc6.pdf
    • http://restoreactive.ca/uploads/1/3/0/2/130291635/pixit_vuzurefujuv.pdf
    • http://prestissimopress.com/uploads/1/3/0/5/130538841/f3d46ea7b.pdf
    • http://mta-sts.joesavd.com/uploads/1/3/0/4/130483633/3d9c13ff6.pdf
    • http://joyceandcraig.com/uploads/1/3/0/2/130270945/laleg.pdf
    • http://disneychristmasparty.com/uploads/1/3/0/4/130483761/5395627.pdf
    • http://sugaringusa.com/uploads/1/3/0/8/130814674/womanogagim.pdf
    • http://dine-juneau.com/uploads/1/3/0/7/130776457/vimuwab-sibikejuzu-jenudo-fobowidatowa.pdf
    • http://surom.com/uploads/1/3/0/8/130814032/gijamugakimul.pdf
    • http://boshuster.org/uploads/1/3/0/7/130776874/276620.pdf
    • http://fiercetruth.net/uploads/1/3/0/2/130273788/54ef31f8a0f0bf1.pdf
    • http://moribanlandscapes.com/uploads/1/3/0/2/130289332/mixapog.pdf
    • http://ryanmurrayconductor.com/uploads/1/3/0/3/130323968/8b429e78bc.pdf
    • http://sustainshelby.com/uploads/1/3/0/3/130312923/fd938c345d97d87.pdf
    • http://seedovation.org/uploads/1/3/0/6/130604589/nuzufalemogon.pdf
    • http://campaign500.com/uploads/1/3/0/8/130814623/7b38b6c.pdf
    • http://sta-66-99-58-194.ladse.org/uploads/1/3/0/6/130621965/130621965.html#romeo+and+juliet+act+2+scene+5+character+analysis

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000016a6.bin
608d9ae1438ce2f00f90c901ec0ad75868613a9b0cb66fab2d43c02c75757508		 pdf-font-stream PDF embedded font (sfnt) at offset 0x16A6 8440 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.